A cryptographic processing apparatus uses a specific algorithm to encrypt plain text and decrypt cipher text. Side channel attacks on such an apparatus have been reported. They include passive attacks that simply measure power consumption or an electromagnetic wave during operation to derive an internal secret key, such as simple power analysis (SPA), differential power analysis (DPA), and similar analysis. A side channel attack leaves no evidence of the attack, so a countermeasure technique is important.
The side channel attack derives the secret key by finding the key estimate for which the power consumption or electromagnetic wave has high similarity to the intermediate data (data in the middle of an encryption process). The power consumption and the electromagnetic wave are measurable during operation of an encryption process or a decryption process, and the intermediate data is calculated from the secret key being estimated. A known countermeasure that invalidates the side channel attack is the mask countermeasure. This method uses a random number to hide the intermediate data of the encryption process, which makes the degree of similarity difficult to determine.
In a typical block cipher method such as Advanced Encryption Standard (AES), the countermeasure either calculates an exclusive OR (XOR) between the intermediate data and the random number or multiplies the intermediate data by the random number. When the mask countermeasure is applied to the non-linear process in the encryption process, the exclusive OR with a randomly generated number cannot simply be applied, due to the nature of the non-linear process. A typical method therefore uses a table that defines the correspondence between the input and the output of the non-linear process, so that the mask is maintained through the non-linear process. However, in the mask countermeasure using the table, the number of tables is limited in order to prevent the circuit size from increasing significantly. This reduces randomness.
On the other hand, the mask countermeasure that multiplies by the random number works better with a non-linear process based on multiplication, such as the inverse operation of AES, thanks to its mathematical property. However, vulnerability of this countermeasure to the side channel attack has been reported.
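The two mask countermeasures described above, as an added example that is not part of the original text: a recomputed table that carries an XOR mask through the AES S-box, and a multiplicative mask on the field inversion, including the case of a zero input, which no multiplicative mask hides. The function names and the sample byte are assumptions made for illustration.

```python
import secrets

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) if a & 0x80 else (a << 1)
        b >>= 1
    return r

def gf_inv(a):
    """Field inverse computed as a^254; 0 maps to 0, as in the AES S-box."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def rotl8(v, n):
    return ((v << n) | (v >> (8 - n))) & 0xFF

# AES S-box: field inversion (the non-linear step) followed by the affine map.
SBOX = [b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63
        for b in map(gf_inv, range(256))]

def masked_table(m_in, m_out):
    """Table T with T[x ^ m_in] == SBOX[x] ^ m_out for every byte x."""
    t = [0] * 256
    for x in range(256):
        t[x ^ m_in] = SBOX[x] ^ m_out
    return t

def masked_inverse(x, r):
    """Invert x while only x*r is processed; returns (x*r, x^-1). r must be non-zero."""
    xr = gf_mul(x, r)                    # masked intermediate value
    return xr, gf_mul(gf_inv(xr), r)     # (x*r)^-1 * r == x^-1

if __name__ == "__main__":
    x = 0x53                                  # constructed sample byte
    m_in, m_out = secrets.randbelow(256), secrets.randbelow(256)
    r = 1 + secrets.randbelow(255)            # non-zero multiplicative mask
    # A plain XOR mask does not pass through the S-box unchanged.
    print("S(x^m) == S(x)^m ?", SBOX[x ^ m_in] == SBOX[x] ^ m_in)
    # The recomputed table takes masked input and returns masked output.
    t = masked_table(m_in, m_out)
    print("table unmask ok:", t[x ^ m_in] ^ m_out == SBOX[x])
    # Multiplicative masking recovers the inverse without processing x itself.
    print("inverse ok:", masked_inverse(x, r)[1] == gf_inv(x))
    # A zero input stays zero under every mask r, so it is not hidden.
    print("x=0 masked value:", masked_inverse(0, r)[0])
```

Each distinct mask pair needs its own 256-entry table, which is why limiting the number of tables limits the randomness available to the table method.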
Accordingly, in the known cryptographic processing apparatus, it has been difficult to take adequate countermeasures against the side channel attack, especially in the non-linear process. Therefore, there has been a need for enhancement of safety against the side channel attack.